1.1. Controller – Eurocash S.A. with its registered office in Komorniki (62-052) at 11 Wiśniowa Street.
1.2. Personal Data – any information about a natural person, identified or identifiable by one or several factors defining his/her physical, physiological, genetic, psychic, economic, cultural, or social identity, including the IP of the device, location data, online identifier and information collected through cookie files and other similar technologies.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5. Website – an online service run by the Controller at the address www.grupaeurocash.pl.
1.6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
2.1. In connection with the User’s use of the website, the Controller collects data with the scope necessary to provide its respective services and collects information about the User’s activity on the Website. The detailed rules and purposes of processing the Personal Data collected during the use of the Website by the User are described below.
USE OF THE WEBSITE
3.1. Personal Data of all the persons using the Website (including the IP address or other identifiers and information collected through cookie files and other similar technologies) are processed by the Controller:
3.1.1. to provide services electronically, that is, to give Users access to the content collected on the Website – in this case, the legal basis for the processing is that processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
3.1.2. for analytical and statistical purposes – in this case, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) to analyze the activity of Users and their preferences in order to improve the functionalities used and the services provided;
3.1.3. for technical, administrative purposes and in order to ensure the security of the IT system and to manage the system – in this case, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to carry out IT and administrative work aimed at maintaining the security and proper functioning of the Website;
3.1.4. to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to protect its rights;
3.1.5. for the marketing purposes of the Controller – the principles of Personal Data processing for marketing purposes are described in the “MARKETING” section.
3.2. Activity of a User on the Website, including his/her Personal Data, is recorded in system logs (a special computer program for storing a chronological record of information about events and actions concerning the IT system used for providing services by the Controller). The information collected in logs is processed mainly for purposes related to the provision of services. The Controller also processes the information for technical, administrative purposes and in order to ensure the security of the IT system and to manage the system and also for analytical and statistical purposes – in this respect, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to provide and improve the functionality offered to Users.
3.3. The Controller ensures technical solutions for contacting it using electronic contact forms on the Website. Using the form requires that Personal Data are provided, which is needed to contact the User and answer User’s inquiry. The User may also give other data to facilitate contact or inquiry handling. Provision of data marked as mandatory is required to accept and handle an inquiry, and the failure to provide them makes it impossible to handle it. The provision of other data is voluntary.
3.4. Personal Data are processed to identify the sender and handle his/her inquiry sent by the provided form – the legal basis for the processing is the necessity of the processing to perform a contract for providing a service (Article 6(1)(b) GDPR); in respect of data provided voluntarily, the legal basis for the processing is the consent (Article 6(1)(a) GDPR).
3.5. Using the contact form available on the Website, it is also possible to contact another company of the Eurocash Group, but in this case, Eurocash S.A. is not the Controller of the Personal Data contained in the contact form.
3.6. The Controller processes the Personal Data of Users who visit the Controller’s profiles on social media (YouTube, LinkedIn). The data are processed only in connection with maintaining the profile, including in order to inform the Users about the Controller’s activity and promote various events, services, and products, and also for analytical and statistical purposes. The legal basis of the Personal Data processing by the Controller for the above purpose is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) to promote its own brand and analyze the activity and preferences of the Users who visit the Controller’s profiles on social media in order to improve the functionalities used and the services provided.
3.7. The above information does not apply to the processing of data by administrators of social networks (YouTube, LinkedIn). Detailed information on the purpose and scope of data collection by social networks can be found at the following links:
4.3. Below please find detailed information concerning the cookies used by the Controller on the Website. The Controller regularly uses tools to scan the Service to determine what cookies are stored on the User's device, in order to make the list of cookies used as accurate as possible. The Controller uses the following files: required, functional, analytical and social media cookies.
4.4. The Controller uses necessary cookies primarily to provide Users with the services and functionalities of the Website that the User wishes to use. These files are installed in particular for the purpose of remembering login sessions or filling out forms, as well as for the purpose of setting privacy options.
4.5. The legal basis for the processing of data in connection with the application of the required cookies is that such processing is necessary for the purposes of performing contracts (Article 6(1)(b) of the GDPR).
4.7. Functional cookies are used in order to remember and adjust the Website to the User's choices e.g. in terms of language preferences. Functional cookies may be installed by the Controller and its partners through the Website.
4.8. Analytical cookies make it possible to obtain information such as the number of visits and traffic sources of the Website. They are used to determine which pages are more popular and to understand how Users navigate the Website by storing statistics about the traffic on the Website. The processing is done to improve the performance of the Website. The information collected by these cookies is aggregated and is therefore not intended to establish the identity of the User. Analytical cookies may be installed by the Controller and its partners through the Website.
4.9. The legal basis for the processing of Personal Data in connection with the use of functional and analytical cookies by the Controller is its legitimate interest (Article 6(1)(f) of the GDPR), consisting in ensuring the highest standard of services rendered in the Website in connection with the User’s consent for the registration of such cookies (separately for analytical files and separately for functional files).
4.10. The processing of Personal Data in connection with the use of functional and analytical cookies is subject to securing the User’s consent for the use of (separately) functional and analytical cookies through the platform for managing consents for cookies. The consent may be withdrawn at any time through that platform.
4.12. These cookies are installed by the Controller’s partners to match the displayed content on the social media used by the User. Based on the information from these cookies and activity on other sites or social media, an interest profile is built. This ensures that the content displayed is tailored to User’s individual needs. Social media cookies do not directly store personal information, but identify the web browser and hardware, and if the User accesses the Website via a mobile device, also the User's location. If the User does not allow the use of these cookies, the Controller will not be able to prevent the same content from being displayed or allow the User to like and share content posted by the Controller on social media.
5.1. The Controller and its partners apply various solutions and tools used for analytical and marketing purposes. Basic information regarding such tools is described below. For more detailed information on the use of such tools, please refer to the data privacy settings and the privacy policies of the relevant partner.
5.2. The current and complete list of the Controller’s Partners is available at the link: https://grupaeurocash.pl/zaufani-partnerzy-grupy-eurocash.
5.3. Cookies of Google Analytics are files used by Google to analyse Users’ habits in regard to using the Website and to create statistics and reports concerning the functioning of the Website. Google does not use the collected data for User identification and does not combine such information to allow for the identification of Users. Detailed information about the scope and the terms of collecting data in connection with such services is available at: https://www.google.com/intl/pl/policies/privacy/partners.
5.4. LinkedIn plug-in is a tool that allows Users of the Website to access and view content on LinkedIn pages. The tool can display information available on LinkedIn, search boxes that link to information found on LinkedIn.com, LinkedIn advertisements, or advertisements of third-party products. In addition, as part of the tool, LinkedIn may capture data in order to analyse and track the User's movement on the Website or to determine the User's preferences. Detailed information about the scope and principles of data collection in connection with this service is available at the following link: https://www.linkedin.com/legal/privacy-policy#data
6.2. Consent is not required only in the case of cookies which must be applied to render any telecommunication services (data transmission for the purposes of displaying content) – the User does not have the option of disabling such cookies if he/she wishes to continue the use of the Website.
6.3. Consent for the collection of cookies in the Platform may be withdrawn through the cookies consent management platform. The User may go back to the banner by clicking on the “Manage cookies” button or by clicking on the button with the same content available in the footer of each subpage of the Platform.
6.4. After clicking on the banner, the User may withdraw consent by clicking on the “Manage cookies” button. Then it is necessary to move the scrollbar/uncheck a checkbox in the relevant category of cookies and click on “Save preferences and close”.
6.5. User may also withdraw consent by changing his/her browser settings. Detailed information is available by clicking the links below:
6.5.1. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet explorer-delete-manage-cookies7
6.5.2. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
6.5.3. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
6.5.4. Opera: http://help.opera.com/Windows/12.10/pl/cookie.html/
6.5.5. Safari: https://support.apple.com/kb/PH5042?locale=en-GB.
6.6. User may at any time verify the status of his/her current privacy settings for the browser he/she is using via the tools available by clicking the links below:
7.1. The period of data processing by the Controller depends on the type of provided service and the purpose of the processing. In principle, data are processed for the entire period of providing the service or fulfilling a purchase order until the moment of withdrawing consent or filing an effective objection to the data processing in cases where the legal basis for the processing is the Controller’s legitimate interest.
7.2. The data processing period may be extended if the processing is necessary to determine and pursue possible claims or defend against claims and, after that time, only when and to the extent required by law. After the elapse of the processing period, the data are irreversibly deleted and anonymized.
RIGHTS OF DATA SUBJECTS
8.1. The following rights are vested in Data Subjects:
8.1.1. right to information on personal data processing – on that basis, the Controller provides the person making the request with information about data processing, including first of all about the purposes and legal grounds for the processing, the scope of the data held, entities to which they are disclosed and the planned date for deleting the data;
8.1.2. right to receive a copy of data – on that basis, the Controller provides a copy of the data processed to a person making the request;
8.1.3. right to rectification – the Controller is obligated to remove any non-compliance or errors in personal data processed and supplement them if they are incomplete;
8.1.4. right to erasure – on that basis, one may demand deleting the data whose processing is no longer necessary to achieve any of the purposes for which they were collected;
8.1.5. right to restriction of processing – if such a request is made, the Controller stops performing any operations on the personal data except for those to which the data subject has given consent and except storing them in accordance with the adopted retention rules or until the reasons for restricting the processing disappear (e.g. the data supervisory authority issues a decision permitting further data processing);
8.1.6. right to data portability – on this basis, to the extent that the data are processed in connection with an executed contract or given consent, the Controller delivers the data provided by the data subject in a machine-readable format. It is also allowed to request that the data are transmitted to another entity, on condition, though, that both the Controller and the other entity have the technical capabilities to do so;
8.1.7. right to object to personal data processing for marketing purposes – the data subject has the right to object at any time to personal data processing for marketing purposes without the obligation to justify such an objection;
8.1.8. right to object to data processing for other purposes – the data subject may object at any time to personal data processing carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons connected with protecting property); such an objection should include a justification;
8.1.9. right to withdraw consent – if data are processed on the basis of a given consent, the data subject may withdraw it at any time, which does not have, however, any effect on the lawfulness of processing based on consent before its withdrawal.
8.1.10. right to complain – if the data subject believes that the personal data processing breaches the provisions of GDPR or other personal data protection regulations, the data subject has the right to lodge a complaint with the supervisory authority for the processing of Personal Data having jurisdiction over the Data Subject's habitual residence, place of work or place where the alleged infringement was committed. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
9.1. A request about exercising the rights of data subjects may be filed:
9.1.1. by letter to Controller’s office address;
9.1.2. by e-mail to the address: email@example.com
9.2. The request should, as far as possible, indicate precisely what the request is about, i.e. in particular:
9.2.1. what right the person submitting the request wishes to exercise (e.g., the right to receive a copy of the data, the right to erasure, etc.);
9.2.2. what processing the request relates to (e.g., use of a specific service, activity on a specific website, etc.);
9.2.3. what purposes of processing the request relates to (e.g., purposes related to the provision of services, etc.).
9.3. If the Controller is unable to identify the person filing a request on the basis of the notification made, the Controller will ask the petitioner for additional information. Provision of such data is not mandatory; however, failure to provide them will result in a refusal to consider the request.
9.4. The request may be filed in person or through an attorney-in-fact (e.g. a family member). In view of data security, the Controller encourages data subjects to use a power-of-attorney in the form certified by a notary public or an authorized legal counsel or attorney-at-law, which will significantly accelerate verification of the request’s authenticity.
9.5. A reply to the request should be provided within one month of its receipt. If it is necessary to extend the deadline, the Controller shall inform the applicant about the reasons for the delay.
9.6. Where the application is submitted to the Company electronically, the response is given in the same form unless the applicant requests otherwise. In all other cases, the response is given in writing. When the deadline for exercising the request makes it impossible to reply in writing and the applicant's data processed by the Controller allows for contact by electronic means, the response should be provided electronically.
10.1. Proceedings concerning filed requests are free of charge. Fees may be charged only in the case of:
10.1.1. making a request to provide the second and each further copy of the data (the first copy is free of charge); in such a case, the Controller may demand that fees are paid in the amount of PLN 250. The above fee includes administrative expenses connected with recognizing the request.
10.1.2. making requests by the same person that are excessive (e.g. extremely frequent ones) or manifestly unfounded; in such a case, the Controller may demand that fees are paid in the amount of PLN 250. The above fee includes costs of carrying on communication and costs connected with taking requested actions.
10.2. If the data subject challenges the decision to charge fees, the person may lodge a complaint with a data supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. In Poland the competent Data Supervisory Authority is the President of the Personal Data Protection Office.
11.1. In certain cases, if necessary to achieve the purposes described above, Personal Data will be disclosed to external entities providing services to the Controller (e.g. IT service providers, analytical and marketing tool providers, analytical and marketing agencies).
11.2. The Controller reserves the right to disclose selected information items referring to the User to relevant authorities or third parties which will demand that they are provided such information pursuant to an appropriate legal basis and in compliance with prevailing laws.
12.1. The level of Personal Data protection outside the European Economic Area (EEA) differs from that guaranteed by the European law. For this reason, the Controller transmits Personal Data to places outside the EEA only when necessary and ensuring an adequate protection level, mainly by:
12.1.1. cooperating with Personal Data processors in the countries with respect to which a relevant decision of the European Commission has been issued; in some cases, the European Commission additionally requires that such processors should participate in programs approved by the European Commission that associate entities from outside the EEA and whose participants are required to provide Personal Data the same level of protection as granted within the European Union (for more detailed information, see here);
12.1.2. application of standard contractual clauses issued by the European Commission; along with the required additional security measures they provide Personal Data the same protection level as is prescribed in the European Union; standard contractual clauses can be found here;
12.1.3. application of binding corporate principles approved by the relevant supervisory authority.
12.2. In connection with the use of Webflow Inc. services by the Controller, Users' Personal Data shall be transferred outside the EEA, i.e. to the U.S., for the purpose of providing hosting services by this entity to the Controller. The transfer of Personal Data to the subcontractor Webflow Inc., located in the U.S., shall be based on an adequacy decision referred to in Section 12.1.1., in accordance with that subcontractor's registration on the Data Privacy Framework list of self-certified entities. Current information on the subcontractor's registration on that list can be checked at the link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TT9jAAG&status=Active
13.1. The Controller conducts an ongoing risk analysis to ensure that Personal Data is processed in a secure manner, guaranteeing first of all that access to the data is provided only to authorized persons and only to the extent necessary for them to perform their tasks. The Controller makes sure that any operations on Personal Data are recorded and performed only by authorized employees or collaborators.
13.2. The Controller takes any necessary actions so that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures in each case when they process Personal Data on the Controller’s behalf.
14.1. The Controller may be contacted by e-mail firstname.lastname@example.org or by letter sent to the address.
14.2. The Controller has appointed a Data Protection Officer that may be contacted by e-mail email@example.com, and in writing at Controller’s seat address in any matter concerning personal data processing.
15.1. The Policy is verified on an ongoing basis and updated when needed.
15.2. The present version of the Policy was approved and has been in force since 20.07.2023.